Kelihos: not Alien Resurrection, more Attack of the Clones

How the Kelihos botnet survived a stake through the heart, and some alternatives to garlic and silver bullets.

Our colleagues at ESET UK drew my attention to another article on the resurrection of the Kelihos botnet (Win32/Kelihos). The article is based on the abuse.ch analysis of a particular sample. The analysis is interesting and well executed, but the reappearance of Kelihos isn’t exactly hot off the press: there were several reports to that effect over a month ago, and some of those reports suggested that the new version appeared almost as soon as Microsoft’s takedown was publicized.

While Nuwar/Storm and Waledac are programmatically different, ESET researchers believe that they’re linked by a common operation, though we wouldn’t describe them as the same malware family so persistence (in a non-technical sense) is not unexpected from this gang. What’s more, use of fast flux, while not generally common among botnets nowadays, is common to all three of these malware families.

The significance of the switch to .eu noted by the Swiss security blog is probably only that the .cc TLD is mostly used by malware (and so blocked by default by some AV companies). Back in summer 2011 Google actually blocked .cz.cc en bloc. The company may or may not have intended to block with quite that wide a range, but activity by Kelihos (among others) would have contributed to that reaction. The .eu TLD has a much higher proportion of legitimate users, and is less likely to be blocked generically.

Kelihos is a peer-to-peer botnet, rather than relying on a Command & Control (C&C) topology, but our researchers think that the takedown was successful, and that it’s unlikely that the botmaster simply regained control of part of the botnet. Microsoft originally took down the botnet by sinkholing, redirecting drones polling for task instructions to a system that Microsoft controlled, while Kaspersky flooded the peer lists, replacing all the peer entries with the address of the sinkhole server. We think that the gang started over – rather as happened with the transition from Waledac to Kelihos – but using the same base code. My colleagues Pierre-Marc Bureau and Sébastien Duquette have seen evidence that it’s being installed through PPI (pay-per-install, a business model heavily used by TDSS), making use of other botnets for the installation, supporting that hypothesis.

Historically, Kelihos has been mostly associated with spam dissemination (mostly stock-fraud related and pharmaceutical spam), though it has also monitored network traffic for HTTP and FTP credentials (used to further its spamming activities), and to scan victim hard disks looking for email addresses, presumably as potential spam targets. Spammers don’t generally discriminate between home users and work addresses, so individuals should be looking out at home and at work for eyecatching spam such as greetings cards. In the past these have linked to malware passed off as a Flash player or the like. Last year, it was also using the .LNK vulnerability originally exploited by Stuxnet to infect via removable drives. Our researchers are well aware of the resurgence, and actively tracking it through fast flux, so it’s reasonable to assume that other vendors are doing much the same. That means systems which are not properly protected by AV will be most at risk.

Hat tip to Pierre-Marc and Sébastien for the additional information: of course, most of what I know about Kelihos comes from ESET Canada research anyway. :)